Unprivileged LXC and grsecurity kernel

#1 Sat, 2017-03-04 09:57
fludardes

Hello. Excuse me, please, but it seems that there is some kind of incompatibility between grsec kernel variants and the use of unprivileged LXC containers... Or maybe I am doing something wrong.

I try to create such a container with the command

# lxc-create -B btrfs -f /etc/lxc/default.conf -n alpine_1 -t download -- -d alpine -r 3.4 -a i386

/etc/lxc/default.conf I have created and changed to something like:
# Alpine fix from /etc/lxc/lxc.conf
lxc.cgroup.use = @kernel
...
# Mapping
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

The root user has a subuid and subgid range.
But I receive an error:
newuidmap: Target process 2106 is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:30
error mapping child
setgid: Invalid argument
lxc-create: lxccontainer.c: create_run_template: 1290 container creation template for ... failed
lxc-create: tools/lxc_create.c: main: 318 Error creating container

Maybe this github issue is related to the problem...
It works with the vanilla kernel on Alpine Linux, and it also works on Arch Linux with the grsec kernel from their repo (their version is built without GRKERNSEC_SYSFS_RESTRICT).
I just hope - is there some workaround without a kernel rebuild? Sorry.

Alpine Linux v3.5, kernel: 4.4.52-0-virtgrsec
Thanks.

Sun, 2017-04-16 23:01
z33ky

Try booting with the kernel parameter grsec_sysfs_restrict=0.

On top of that you might also need to set

kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_mount = 0

via sysctl.

Alpine version 3.5 (both container and host) works for me in this configuration.
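A check for the host settings this reply lists, added here as an example and not code from the thread: it takes the kernel command line and a sysctl dump as arguments, so it can be run against captured text or against the live host, and the sample inputs below are constructed.

```shell
#!/bin/sh
# Added example: verify the grsec host settings the reply above says an
# unprivileged LXC container needs. The required sysctl keys are assumed to
# be exactly the five listed in the reply.
GRSEC_LXC_KEYS="kernel.grsecurity.chroot_caps kernel.grsecurity.chroot_deny_chmod kernel.grsecurity.chroot_deny_pivot kernel.grsecurity.chroot_deny_chroot kernel.grsecurity.chroot_deny_mount"

# check_grsec_lxc_prereqs CMDLINE SYSCTL_DUMP
#   CMDLINE     contents of /proc/cmdline
#   SYSCTL_DUMP output of `sysctl -a` (lines of the form "key = value")
# Prints one line per problem and returns the number of problems (0 = ready).
check_grsec_lxc_prereqs() {
    cmdline=$1
    dump=$2
    problems=0
    # the boot parameter must appear as a whole word on the command line
    case " $cmdline " in
        *" grsec_sysfs_restrict=0 "*) ;;
        *) echo "missing kernel parameter: grsec_sysfs_restrict=0"
           problems=$((problems + 1)) ;;
    esac
    for key in $GRSEC_LXC_KEYS; do
        # value after "key = "; empty when the key is absent from the dump
        val=$(printf '%s\n' "$dump" | sed -n "s/^$key = //p")
        if [ "$val" != "0" ]; then
            echo "sysctl $key is '${val:-unset}', expected 0"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample inputs: a host without the boot parameter and with one
# of the chroot sysctls still enabled.
SAMPLE_CMDLINE="BOOT_IMAGE=vmlinuz-virtgrsec root=/dev/vda1 modules=sd-mod,ext4 quiet"
SAMPLE_SYSCTL=$(printf '%s\n' \
    "kernel.grsecurity.chroot_caps = 0" \
    "kernel.grsecurity.chroot_deny_chmod = 0" \
    "kernel.grsecurity.chroot_deny_pivot = 1" \
    "kernel.grsecurity.chroot_deny_chroot = 0" \
    "kernel.grsecurity.chroot_deny_mount = 0")

if check_grsec_lxc_prereqs "$SAMPLE_CMDLINE" "$SAMPLE_SYSCTL"; then
    echo "host looks ready for unprivileged LXC"
fi
# On a live host: check_grsec_lxc_prereqs "$(cat /proc/cmdline)" "$(sysctl -a 2>/dev/null)"
```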

Wed, 2017-04-19 20:42 (Reply to #2)
fludardes

Oh, thanks a lot! Without that I had to compile a custom kernel. Maybe it would be nice to have a hint for this in the Wiki.

Sun, 2018-03-25 03:14
RobertoRama

I'm running linux-hardened on edge and it doesn't work here on unprivileged containers on lxd with the above-mentioned grsec relaxations. Actually, I've disabled all grsec settings available in sysctl as a matter of panic mode (+kernel cmdline). But I still get the same errors as above. The vanilla kernel works fine indeed.
Someone mentioned that the kernel cmdline option is not effective at all: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888702. Not sure if that's the same problem.

Anyone tested lxc/lxd lately on edge or 3.7 with hardened kernel?

$ lxc init images:alpine/edge alpine
Creating alpine
$ lxc start alpine
error: Failed to run: /usr/sbin/lxd forkstart alpine /var/lib/lxd/containers /var/log/lxd/alpine/lxc.conf: 
Try `lxc info --show-log alpine` for more info
$ lxc info --show-log alpine
lxc 20180325004908.619 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
lxc 20180325004908.619 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
lxc 20180325004908.970 ERROR    lxc_conf - conf.c:lxc_map_ids:2736 - newuidmap failed to write mapping "newuidmap: Target process 2333 is owned by a different user: uid:0 pw_uid:0 st_uid": newuidmap 2333 0 100000 65536
lxc 20180325004908.970 ERROR    lxc_start - start.c:lxc_spawn:1276 - Failed to set up id mapping.
[...]
